Family Zone / Linewize VDP
Vulnerability Disclosure Policy

Introduction

Family Zone believes in providing the ability for good faith security researchers to report security vulnerabilities that they find. We want to work with researchers so they can assist us in protecting the data of our customers as well as the confidentiality, integrity and availability of our products, services and systems. We believe that no system is perfect and want to help researchers report findings to protect those that trust us with their data and protection. Your participation in our Vulnerability Disclosure Policy program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us , you are indicating that you have read and agree to follow the rules set forth on this page.

Target audience

Family Zone accepts good faith reports of security vulnerability findings from any source including, but not limited to, cyber security researchers and our customers.

Severity assessment, prioritization & response

Any vulnerabilities reported to Family Zone will be assessed for severity using the CVSS (Common Vulnerability Severity Scoring) framework. This severity assessment combined with contextual assessments forms the priority of a vulnerability.

All legitimate vulnerabilities reported via this form will be triaged, mitigated, remediated or accepted according to internally defined and agreed processes which govern the effective handling of vulnerabilities discovered within our environments.

Family Zone will respond to any legitimate reports which are received via this form, and will work with researchers to help maintain the privacy and safety of our customers.

Disclosure Policy

• When conducting vulnerability research according to this policy, we consider this research to be:
  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
• You are expected, as always, to comply with all applicable laws.
• Please do not discuss any vulnerabilities (even resolved ones) outside of the program without consent from the Family Zone Security team unless they are made public.
• We appreciate your help and promise to treat you as a friend and ally as long as you act in good faith.
• If you have any concerns or questions about this safe harbor policy, please contact our security team directly (You can find our contact details in our RFC9116 compliant security.txt file).

Program Rules

• Please provide detailed reports with reproducible steps.
• Do not access, impact, destroy or otherwise negatively impact Family Zones customers, or customer data in any way.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. Respect our users’ privacy.
• If, during your testing, you gain access to another user’s data, immediately discontinue testing and notify us. No data belonging to another user should be extracted or shared.
• No extortion, shake downs, or duress.
• Don’t leave any system in a more vulnerable state than you found it.
• Be respectful when interacting on reports with our team.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When a vulnerability consists of different parameters but having the same API endpoint please group this together in the same report.
• When a vulnerability is occurs to a third party integration (such as Zendesk, etc.) we will treat all reports as a single report.
• Social Engineering is not allowed.
• Do not exceed the defined scope of this policy when performing testing, testing is strictly only permitted within the scope defined on this page.

Scope

Education

• Web Apps
  • https://classroom.us-1.familyzone.io/
  • https://schoolmanager.us-1.familyzone.io/
• Chrome Extensions
  • https://chrome.google.com/webstore/detail/jofaicpppkjkpjlcjlchplmeeligmnoc
  • https://chrome.google.com/webstore/detail/dlmbdohbeedcgkjdpnpebgdocjjanbmk
• Desktop Agents
  • https://www.familyzone.com/laptops

Consumer

• Web Apps
  • https://portal.familyzone.com/
• Chrome Extensions
  • https://chrome.google.com/websz/familiestore/detail/connect-for-chrome-commun/flahkgamhlgdgpoikkdjemmkdbcipflf
• Mobile Apps
  • https://play.google.com/store/apps/details?id=au.com.familyzone
  • https://apps.apple.com/au/app/family-zone-parental-controls/id1062506254
• Desktop Agents
  • https://www.familyzone.com/laptops

Out of Scope

• *.cybersafetyhub.*
• Degradation of our production services.
• Social engineering of customers or employees.

Getting Access

Submission Form